feature: Add security group as input

.gitignore

@@ -8,5 +8,8 @@
 # .tfvars files
 *.tfvars
 
+# Terraform Lock file
+.terraform.lock.hcl
+
 # CheckOv pre-commit external modules path
 **/.external_modules/*

README.md

@@ -76,6 +76,7 @@ No modules.
 | <a name="input_s3_key"></a> [s3\_key](#input\_s3\_key) | The S3 key of an object containing the function's deployment package | `string` | `null` | no |
 | <a name="input_s3_object_version"></a> [s3\_object\_version](#input\_s3\_object\_version) | The object version containing the function's deployment package | `string` | `null` | no |
 | <a name="input_security_group_egress_rules"></a> [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security Group egress rules | <pre>list(object({<br>    cidr_ipv4                    = optional(string)<br>    cidr_ipv6                    = optional(string)<br>    description                  = string<br>    from_port                    = optional(number, 0)<br>    ip_protocol                  = optional(string, "-1")<br>    prefix_list_id               = optional(string)<br>    referenced_security_group_id = optional(string)<br>    to_port                      = optional(number, 0)<br>  }))</pre> | `[]` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created | `list(string)` | `[]` | no |
 | <a name="input_security_group_name_prefix"></a> [security\_group\_name\_prefix](#input\_security\_group\_name\_prefix) | An optional prefix to create a unique name of the security group. If not provided `var.name` will be used | `string` | `null` | no |
 | <a name="input_source_code_hash"></a> [source\_code\_hash](#input\_source\_code\_hash) | Optional source code hash | `string` | `null` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | The subnet ids where this lambda needs to run | `list(string)` | `null` | no |
@@ -92,7 +93,7 @@ No modules.
 | <a name="output_name"></a> [name](#output\_name) | Function name of the Lambda |
 | <a name="output_qualified_arn"></a> [qualified\_arn](#output\_qualified\_arn) | Qualified ARN of the Lambda |
 | <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | ARN of the lambda execution role |
-| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | If the Lambda is deployed into a VPC this will output the security group id |
+| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | If the Lambda is deployed into a VPC this will output the genetered security group id (if no security groups are specified) |
 | <a name="output_version"></a> [version](#output\_version) | Latest published version of the Lambda function |
 <!-- END_TF_DOCS -->
 

main.tf

@@ -9,6 +9,7 @@ locals {
   source_code_hash           = var.source_code_hash != null ? var.source_code_hash : var.filename != null ? filebase64sha256(var.filename) : null
   tracing_config             = var.tracing_config_mode != null ? { create : true } : {}
   vpc_config                 = var.subnet_ids != null ? { create : true } : {}
+  security_group_ids         = length(var.security_group_ids) > 0 ? var.security_group_ids : [aws_security_group.default[0].id]
 }
 
 data "aws_iam_policy_document" "default" {
@@ -72,7 +73,7 @@ data "aws_subnet" "selected" {
 
 resource "aws_security_group" "default" {
   #checkov:skip=CKV2_AWS_5: False positive finding, the security group is attached.
-  count = var.subnet_ids != null ? 1 : 0
+  count = var.subnet_ids != null && length(var.security_group_ids) == 0 ? 1 : 0
 
   name        = var.security_group_name_prefix == null ? var.name : null
   name_prefix = var.security_group_name_prefix != null ? var.security_group_name_prefix : null
@@ -86,7 +87,7 @@ resource "aws_security_group" "default" {
 }
 
 resource "aws_vpc_security_group_egress_rule" "default" {
-  for_each = var.subnet_ids != null && length(var.security_group_egress_rules) != 0 ? { for v in var.security_group_egress_rules : v.description => v } : {}
+  for_each = var.subnet_ids != null && length(var.security_group_ids) == 0 && length(var.security_group_egress_rules) != 0 ? { for v in var.security_group_egress_rules : v.description => v } : {}
 
   cidr_ipv4                    = each.value.cidr_ipv4
   cidr_ipv6                    = each.value.cidr_ipv6
@@ -204,7 +205,7 @@ resource "aws_lambda_function" "default" {
 
     content {
       subnet_ids         = var.subnet_ids
-      security_group_ids = [aws_security_group.default[0].id]
+      security_group_ids = local.security_group_ids
     }
   }
 

outputs.tf

@@ -24,8 +24,8 @@ output "role_arn" {
 }
 
 output "security_group_id" {
-  value       = var.subnet_ids != null ? aws_security_group.default[0].id : ""
-  description = "If the Lambda is deployed into a VPC this will output the security group id"
+  value       = try(aws_security_group.default[0].id, "")
+  description = "If the Lambda is deployed into a VPC this will output the genetered security group id (if no security groups are specified)"
 }
 
 output "version" {

variables.tf

@@ -176,6 +176,12 @@ variable "s3_object_version" {
   description = "The object version containing the function's deployment package"
 }
 
+variable "security_group_ids" {
+  type        = list(string)
+  default     = []
+  description = "The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created"
+}
+
 variable "security_group_egress_rules" {
   type = list(object({
     cidr_ipv4                    = optional(string)